Health care organizations face increased security risks because of third-party software use, according to the Office for Civil Rights (OCR).

Security Risk

The Office for Civil Rights (OCR) issued a bulletin outlining the need for health care organizations to keep third-party software updated frequently. Released in June 2016, the bulletin details the rising security risks and vulnerabilities that health care organizations need to be aware of when using third-party application software. Third-party software includes applications that organizations can purchase or use for free, such as Adobe Acrobat or Java.

Within the bulletin, the OCR also summarizes a study stating that “a majority of companies use third-party applications or software, but less than 1 in 5 companies have [sic] performed verification on these third-party software.”

Additionally, the study suggests: “a fair amount have third-party software that remain unpatched.” Patches are important for all software, not just the operating system. A patch is a piece of software designed to update a program in order to fix or improve it. In one example, Adobe states that an earlier version of Adobe Flash Player contains critical vulnerabilities. When detailing the severity of the vulnerability, Adobe stated: “Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” An attacker taking control of the affected system could very well mean a security breach for Covered Entities or Business Associates.

To best protect the organization, patches should be installed as soon as the organization becomes aware that a patch is available. However, the OCR reminds organizations to assess patches before deploying them to ensure the patch won’t introduce another vulnerability. The organization should have a documented Patch Management Policy that outlines this process.

Addressing this issue can be a challenge for many smaller organizations that lack IT knowledge of the software and the security issues involved. If you’re a smaller health care organization, check out the OCR’s bulletin. The bulletin provides some guidance on determining the security of individual software.

According to the OCR’s recommendations, health care organizations should start by defining specific criteria for how they will use the third-party software. Then, they should ensure that their employees use the applications according to the set criteria. Organizations should also conduct security testing on the software, or ask whether the vendor has conducted testing, to better determine the security of the application. Organizations should ask questions such as: What were the results? Who conducted the testing?

For more help with required policies or determining vulnerabilities, use the HIPAAgps templates and risk assessment.